Comment 143 for bug 308181

In , WhyNotHugo (whynothugo) wrote :

(In reply to Ben Bucksch (:BenB) from comment #54)
> > 2) Is inherently insecure ... HTTP
>
> So is DNS (at least without DNSSEC)

So rfc6186 provides secure autoconfiguration for domains that implement DNSSEC. There's no way to achieve secure autoconfiguration with this mechanism, since HTTP provides no security mechanism.

However, my strongest point is its non-standardness, while rfc6186 is standard, and grants total control (and optional security) to the ISP.
Also, there's no reason both autoconfiguration mechanisms can't exist.

(In reply to Andrew Sutherland (:asuth) from comment #55)
> (In reply to Hugo Osvaldo Barrera from comment #53)
> > 4) Only thunderbird uses this information. If each email client had its
> > own non-standard mechanism, then ISPs would have a huge burden to update
> > each of them with new information when they change their email server.
>
> Evolution uses it too, although it looks like they host their own copy of
> the database. Check out:
> http://git.gnome.org/browse/evolution/tree/mail/e-mail-autoconfig.c
> which uses a (sadly non-SSL) base url of:
> http://api.gnome.org/evolution/autoconfig/1.1/

Sadly, this is a perfect example of how rfc6186 is superior, since every email server's configuration is in its owner's DNS server.

>
> The upcoming Firefox OS Gaia e-mail client also uses the ISP database too.
>
>
> Note: Neither this nor I believe Ben's comments are meant to suggest that we
> don't want to support DNS SRV. Unfortunately, it's still a non-trivial
> undertaking to get the support in the gecko platform that has not been
> prioritized on the platform side. For Firefox OS v2 we are hoping to get it
> prioritized.

Actually, there's an alternate fix for this issue; if Mozilla's ISPDB contains no information related to a particular domain, it could query it using rfc6186, and return that.

This means that Thunderbird would still [indirectly] resolve using rfc6186, with no actual changes to the client code.
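
The server-side fallback proposed in the last paragraph of the comment above, as an added example that is not part of the original comment or of Mozilla's ISPDB code. The names `ISPDB`, `SRV_ANSWERS`, `pick_srv` and `autoconfig` are hypothetical, all data is constructed, and the `validated` field is an assumption standing in for a DNSSEC-validated answer from the resolver.

```python
# Constructed stand-in for the ISP database (hypothetical entries).
ISPDB = {"known.example": {"incoming": ("imap.known.example", 993),
                           "outgoing": ("smtp.known.example", 587)}}

# Constructed, pre-fetched SRV answers so the example runs offline.
# Records are (priority, weight, port, target).
SRV_ANSWERS = {
    "_imaps._tcp.signed.example": {"validated": True, "records": [
        (10, 1, 993, "backup.signed.example."),
        (0, 1, 993, "mail.signed.example.")]},
    "_submission._tcp.signed.example": {"validated": True, "records": [
        (0, 1, 587, "smtp.signed.example.")]},
    "_imaps._tcp.unsigned.example": {"validated": False, "records": [
        (0, 1, 993, "mail.unsigned.example.")]},
    # A target of "." means the service is not offered at this domain.
    "_imaps._tcp.noimap.example": {"validated": True, "records": [
        (0, 0, 0, ".")]},
}

def pick_srv(domain, service, answers):
    """Return (host, port, validated) for the preferred SRV record, or None."""
    answer = answers.get(f"_{service}._tcp.{domain}")
    if not answer:
        return None
    # Lowest priority wins. Simplification: ties go to the highest weight
    # instead of the weighted random choice described in RFC 2782.
    _, _, port, target = min(answer["records"], key=lambda r: (r[0], -r[1]))
    if target == ".":
        return None
    return target.rstrip("."), port, answer["validated"]

def autoconfig(domain, ispdb=ISPDB, answers=SRV_ANSWERS):
    """ISPDB entry if present, otherwise a config built from SRV records."""
    if domain in ispdb:
        return {**ispdb[domain], "source": "ispdb"}
    config = {"source": "rfc6186", "dnssec": True}
    for key, service in (("incoming", "imaps"), ("outgoing", "submission")):
        hit = pick_srv(domain, service, answers)
        if hit is None:
            continue
        host, port, validated = hit
        config[key] = (host, port)
        # One unvalidated answer makes the whole result unauthenticated.
        config["dnssec"] = config["dnssec"] and validated
    if "incoming" not in config and "outgoing" not in config:
        return None
    return config
```

The `dnssec` flag only describes the lookup made by the database server; a client that fetches the result over plain HTTP gets no such assurance for the response itself.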